Home / I Think I’ve Been Hacked
Immediate Guidance

You think you’ve been hacked.
What do you do now?

The first hours after a cyber incident are critical. Here’s the step-by-step guidance you need to contain the damage, notify the right people, and protect your business.

Emergency Response

The first things you need to do
right now.

🚨 IMMEDIATE ACTION REQUIRED
You’ve Discovered a Breach. Here’s Your Response.
NOW
Isolate affected systems. Disconnect any device that shows signs of compromise. This prevents the attacker from spreading further or stealing more data. If it’s your payment system, stop online payments immediately.
NOW
Preserve evidence. Do NOT restart systems. Do NOT delete logs. Do NOT clean anything up. You’ll need this evidence for forensics, law enforcement, and regulators.
WITHIN 1 HOUR
Contact your IT provider. Tell them what happened. Ask them to start forensic investigation. If you don’t have an IT provider, call a forensic firm now.
WITHIN 1 HOUR
Notify your senior team. Don’t keep it secret hoping it goes away. Get management and board members informed immediately.
WITHIN 2 HOURS
Reset critical passwords. If you suspect account compromise, reset passwords for email, banking, payment systems, and critical business applications from a clean device.
WITHIN 4 HOURS
Contact your insurers. If you have cyber liability insurance, notify them immediately. Many policies require rapid notification.
WITHIN 24 HOURS
Determine scope. Work with your forensic team to understand: What was accessed? What data was compromised? When did it happen? How did they get in?
WITHIN 48 HOURS
Assess notification obligations. Under GDPR, if personal data was breached, you may need to notify affected individuals and the ICO within 72 hours. Contact a lawyer if you’re unsure.
WITHIN 72 HOURS
ICO notification if required. If you process UK personal data and the breach meets GDPR threshold, you must notify the ICO. Complete your notification through the ICO’s breach reporting portal.
The Difficult Decisions

Questions only you can answer
with expert guidance.

Should you pay the ransom?
This is a decision that requires expert guidance. Many insurance policies include guidance on ransom payment. Do not pay without legal and insurance advice. Paying doesn’t guarantee data recovery or non-publication.
Should you involve the police?
For serious incidents, yes. Contact the National Crime Agency (NCA) or local police. For fraud, contact Action Fraud. Having law enforcement involved provides documentation and may help with insurance claims.
What do you tell your customers?
The truth, clearly and quickly. Transparency builds trust. Explain what happened, what data was affected, what you’re doing, and what steps customers should take. Delayed disclosure breeds suspicion.
Do you need a forensic firm?
For anything serious, yes. Don’t rely solely on your IT provider. Independent forensic investigation establishes facts, protects liability, and provides evidence for regulators and law enforcement.
Get Expert Help Now

You don’t have to handle this alone.
We’re here to help.

If you’re currently dealing with an incident, call us immediately. We’ll help you assess the situation, advise on next steps, connect you with the right experts, and support you through the response and recovery process.

Call an Expert Now